This is an internal documentation. There is a good chance you’re looking for something else. See Disclaimer.

Handling of new Domains (DKIM/SPF Records, Etc.)


Defense against spam:

  • Make it harder to abuse domain for phishing

  • Stop spam

Customers perspective:

  • Don’t allow sending mails in our name

  • Ensure legitimate mails aren’t classified spam or rejected

What’s Needed for DKIM

For DKIM one DNS records is required that identical for all customers, installations and domains.

See Create DKIM Record

What’s Needed for SPF

For SPF a DNS records is needed that includes our SPF policy (

See Create SPF Record

In the wild you’ll encounter …:

  1. … domains that already have a SPF record.

    In which case you insert

    So, this:

    v=spf1 ip4: -all


    v=spf1 ip4: -all

    ( can appear anywhere between v=spf1 and -all.)

  2. … domains that have no SPF records yet.

    In this case we’ll have to find out what other providers send mails using the domain.

    Common examples for other providers:



    SPF Policy


    ? (required record varies)









    Marketing mails


    Marketing mails

    MS Office365


    It’s also common to send mails from ones own machines:


    Example policy

    specific IP

    ip4: or ip6::2000:4e8::1

    specific IP range

    ip4: or ip6::2000:4e8::/48

    specific host

    Essentially we’ll have to create a SPF record like this:

    v=spf1 [OTHER_PROVIDERS]... -all

Who has to Update the Records

In most cases DNS is managed by the customer or a third party.

Some domains are managed by us. In this case we have to make DNS adjustments ourselves.

See also Who has to Update the DNS Record?.

How to Collect the Required Information

Phase 1: Collect Domains Customer wants to Use

When is the information collected and who collects it?

  1. New customers / initial domains:

    Information is collected during preliminary project phase.

  2. Existing customer / new domains:

    Project manager, BS or sales receive request to add or remove domain(s).

What information is needed?

  • What domains will be used to access Tocco via browser (webpage hosted in Tocco, intranet and backoffice)?

    (Existing customers: what domains need to added or removed.)





  • What domain will be used in email sender addresses?

    (Existing customers: what domains need to be added or removed.)

    One domain is required to be able to send basic system mails. For instance, to be able to reset ones password.


    • (includes

    • (includes

What to do with the collected information?

Create a ticket for BS describing what domains need to be added or removed. From that point on BS will handle all that’s required. This includes further inquiries, communicating the required DNS changes, and issuing TLS certificates.

Phase 2: Perform Required Changes / Contact Customer (BS)


This is done by BS after receiving a ticket.

What needs to be done?


  • Check current SPF record. Online tool: SPF validation.

  • If none exists, ask the customer what other services send mails for that domain. Then construct a new SPF record. See also What’s Needed for SPF above.

  • If one exists, have inserted into the record


  • Check current DKIM record. Online tool: dnslookup (replace ‘’ with actual domain)

  • If it doesn’t exists yet, have it added. See Create DKIM Record.

See Also